Fake Facebook group shows potential security issues, 1+ million gullible users

Summary: More than 1 million Facebook users could've downloaded malware or landed in a phishing scam. The onus is on Facebook to take more proactive measures. The catch? There is little Facebook can do.


On Monday night I was up late surfing the Web when I noticed a problem (other than the fact that I was up late surfing the Web). It was a Facebook problem, relative to a group invitation I received. The invitation read: "Facebook MessengerTM NEW Facebook Messenger Available Now For News Facebook."

Huh. I decided to check the group. I was met with the following:

I knew immediately that something was wrong. It was clearly not a Facebook-endorsed application or download site and was also obviously not created as part of the Facebook Developer Network. How did I know this? Well, the URL to the download site and lots of weird characters, namely. There was a bevy of different languages strewn throughout the page. And there was this message:

"Note: You have to Invite your all Friends and tell Them to Download it so you can chat with your friends on FB Messenger and Its Truste Download so Dont Worry about the program." (sic)


Out of curiosity I went to the download site to see what was there (Not recommended -- never click on suspicious links. Do as I say, not as I do) and was met with a really ugly download site for a really ugly toolbar:

It made me raise my eyebrow for sure. I wasn't certain if there was anything malicious about it, and I'm certainly not qualified to know for sure, so I asked my buddy Damon Cortesi of Alchemy Security to take a look. Interestingly enough, he said the software behind the toolbar (Conduit -- which provides a white label solution others can use) is TrustE certified.

"This is actually another discussion entirely regarding the inherent lack of trust that such sites actually provide. It's somewhat depressing," he said.

Cortesi didn't find anything especially malicious -- and the toolbar itself did appear to be safe and legitimate -- but he did find some questionable links. A bevy of "free SMS" sites included -- so perhaps this is a model for adware if not malware? Or potential click fraud?

"In this day of the ad-supported Internet, page views can be more valuable and cost-effective than malware that will only infect 1 percent of potential victims," Cortesi said. "It's really odd. Some sites are completely legit while others are just derivatives of the shady-ness."

Does it really matter if nothing bad was found? It just as easily could have been malicious. This is a group developed on Facebook, claiming to be an official Facebook tool, linking off of the site to a questionable downloadable application. You say, "Well, will Facebook delete it?" They did, but only after I alerted them to the issue on Monday night. And not before the group had more than 1 million users. And it didn't appear, according to Cortesi, that installing the application forced people to join the group. It appeared that people willingly joined this suspect group.

No, really. See below:

When I asked Facebook for comment about the group's removal I received the following response from Simon Axten:

"Our user operations team investigated this group and removed it as well as another similar one. Facebook's policy is to remove intentionally deceptive groups when they're reported to us," he said.

Record scratch. "Reported to us." This is dangerous. More than 1 million of Facebook's users could've been in danger of downloading malware or landing on some sort of phishing scam. The onus is somewhat on Facebook to take more proactive measures when it comes to monitoring these groups and posted links (or maybe incorporating some "you are leaving Facebook" warning system as they do with email messages). Unfortunately at this point in time there is little else Facebook can do.

"Not unless they have a bank of virtual hosts in place that scrape all of their links, automatically browse them and check for malware infections," Cortesi said. "While measures to prevent malware are in place on Google and within popular browsers such as Internet Explorer and Firefox, validating every link in the world's largest social network is a challenge that does not currently justify the investment. Such is the challenge of any organization balancing the inherent risk of doing business on the Internet with the overwhelming rewards."

While Facebook figures this no-win situation out, users need to start paying more attention to the types of groups they join and the third-party downloads they install on their machines.

"This issue once again highlights the inherent trust that users have in social networks and those users' need to be 'cool' outweighing common sense," said Bill Pennington, senior vice president of services, WhiteHat Security. "Mix that blind trust with people who want to do bad things and you've got a volatile cocktail of mob mentality and Russian hackers."

Topics: Social Enterprise, Malware, Security

  • Nice Catch

    This issue is especially important for two reasons.

    One, the prevalence of new applications in general on FB opens the opportunity to have wrong-doers take advantage as mentioned.

    Two, the lack of understanding by the general internet user about malicious code, particularly for a remote download like this one, is massively concerning for me. How can you trust invitations to participate in new activities if your own circle of contacts can't see through them upon initial review?

    I'd like to see FB put in place an approval process for new apps. Anything not approved should not be rolled out, no questions asked.

    Anyone else feel this way?
  • Huh?

    "validating every link in the world's largest social network is a challenge that does not currently justify ..."
    This is like saying that validating every dollar bill a business gets does not justify the losses due to counterfeit.
    Once a site/business loses my trust they've (and their advertisers) lost my business!
    • you have to be proactive

      it might lose your business only for a while, because it will show up again under a different domain name and maybe a few background colors changed. ;)
      Linux Geek
  • RE: Fake Facebook group shows potential security issues, 1 million gullibl

    Don't be so gullible!! If you feel something is wrong, don't
    trust it. If you have no clue, find out before you download
    anything even if it looks a sure deal.
  • RE: Fake Facebook group shows potential security issues, 1 million gullible users

    Jennifer Leggio and Damon Cortesi aptly point out that toolbars have a poor reputation, but Conduit is working hard to change that. We appreciate the acknowledgement that our platform and the FB Tools toolbar are safe. We went through the exhaustive TRUSTe download certification process and earned a spot on the safe software whitelist to prove that toolbars built on our platform are safe for users. Like YouTube, we cannot control what content our web publishers put on their toolbar, but it is NOT true that it "just as easily could have been malicious." We maintain a team of people whose only job is to ensure that our 180,000 web publishers are adhering to our strict privacy and security policies.
    Adam Boyden
  • Only Windows Users Fell For This

    They fall for anything.
    • Not for long

      As Linux becomes more user-friendly, windows-
      only idiots will be able to become linux
      idiots; they'll still click on anything. See,
      geeks already operate with suspicious natures,
      and till recently, that's all that used Linux.
      As people move to Linux, Linux will become a
      viable operating system to hack--and it WILL be
      hackable; scratch that--it IS hackable by
      someone who sees a genuine reason to do it and
      has genuine skill at it.
      • Not unless...

        Their particular distribution gets targeted (not a sure thing even then, as distributions screw up their updates occasionally).
        I mean, it's not as though an RPM is going to have the least effect on any Debian derived distro, nor any Slackware derived distro either.
        It'd be as unlikely as a DLL affecting a Mac.
        As long as no Linux distribution provably exceeds Apple's market share, malware authors won't see any use targeting Linux. (How are you gonna prove a Free OS's market share, anyway?)
    • Smarmy elitist comments like this, leave a stink on all of us.

      And show your prejudice and ignorance.
      No one pulled the OS chain in this story. But, Fanbois gotta crawl out of the woodwork and flame any chance they get.
    • OK, that's just wrong

      There are many naive computer users who are clueless about the nasties out there on the intertubes. It's platform independent.
  • Correctly said

    More often than not, Linux users are busy trying to
    figure out which mash of alphabet soup to use to add a
    thumb drive...
  • you posted "victims"/members pics/names

    you should have obscured or clouded out their names
    • Huh?

      These people have their faces and profiles out there for the whole world to view anyhow. What's the diff?
  • Caveat FBer

    in the beginning I tried a few FB quizzes and then I began to wonder if eventually I would get some malware so I closed down all my apps and block any new ones I get invited to try. I don't miss the plant a plant or throw a snowball etc. FB is great for locating old friends but for anything else it's a mine field.
  • RE: Fake Facebook group shows potential security issues, 1 million gullible users

    thanks for the heads up this it is one reason I'm not much of a joiner I Hate chat rooms and don't like messengers. Of course I am older and prefer to sit curled up with a good paperback book to e books and I love to receive and write Long letters ....it's the whole anticipation in the waiting and getting to curl up somewhere anywhere even in the rain or a soft snow and read something I waited for that moves me. so keep the messengers and instant chats I'll stick to letters as much as possible and read my books and going to the library.
    • and you posted here...

      I thought you were reading a book or writing a letter???
  • RE: Fake Facebook group shows potential security issues, 1 million gullible users

    Good catch! thanks for the info. I know I wouldn't have caught it. Here's a suggestion for Facebook. My Space has a warning. Facebook could just post a warning that you are about to leave the official Facebook website and if you do you do it at your own risk. Then they can get feedback from users who do check it out and report back to them. That way they only have to check out what is reported instead of going thru all the mess. But then again if they hired some more people to do just that, go thru the site and determine which apps and groups were safe for all of us to venture onto, they would be contributing to the economic growth of our country and creating jobs. Wow! Wouldn't that be a kudos for FB.
  • Back in the day

    like (1994-ish), we used to hand out our email addresses to any site that asked for it. Hey there was no such thing as spam back then -- who knew. So today, all these social networking sites are collecting all sorts of personal information about you. With Identity Theft growing exponentially -- 10 million victims in the US alone -- something tells me it's just a matter of time til the bad guys figure out how to strike gold in this information mine.
  • RE: Fake Facebook group shows potential security issues, 1 million gullible users

    I posted something similar to that on March 3rd on Facebook. Here were my details, http://stlbob.com/facebook/, related to what I had found. And of course my diatribe about the whole thing. Since the redesign, I haven't seen that stuff anymore.

  • Answer: We Need to Teach Media Consumerism

    This is another example of how, as a society,
    most of us are not prepared or educated on how
    to be true consumers of new media. Too few
    people know this (as demonstrated by the 1m
    Facebook members that became fans). This
    happens with all types of people: adults,
    children, seniors, men, women.

    A friend of mine that is not very computer
    literate recently had her computer infected
    with adware that she received from clicking on
    a "win a free vacation / million dollars" ad
    on a gaming site. She called me very upset,
    complaining that her "computer was popping up
    windows she didn't open" and didn't know how
    this happened. So I went over to fix this, and
    asked her had she "clicked on any ads".

    After she explained what she did to me, I asked
    her point blank "If a strange man came up to
    you, tapped you on the shoulder, and said 'If
    you come with me for a moment, I'll give you a
    free vacation', would you go?" She said maybe,
    and this led to a discussion of what she would
    use to make an informed decision. Did he seem
    trustworthy, was he dressed well, etc.

    We need to teach people using computers that
    easy, accessible, and convenient does not mean
    trustworthy. Often, it just means the